Healthcare Data Security

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways than has ever been possible, concerns have been raised about medical device cybersecurity.

Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed.

The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits.

The FDA has been working closely with healthcare providers, patients, and device manufacturers to understand and address any risks associated with the devices. Part of the FDA’s efforts in this area involve the development of new frameworks for identifying risks and protecting consumers.

To further protect patients and help reduce risks to a minimal level, the FDA has developed a five-point action plan (PDF). Under the plan the FDA will continue to encourage the development of new devices to address unmet health needs, while also enhancing security controls to ensure patient data remains private and confidential.

Improving Medical Device Cybersecurity

The FDA will be reorganizing its medical device center and will consolidate its premarket and postmarket offices. By leveraging the expert knowledge of staff in both offices and adopting a more integrated approach, the FDA will be able to optimize decision-making. The FDA is also adopting a ‘Total Product Life Cycle’ (TPLC) approach to ensure device safety for the entire lifespan of the products.

While risks can be evaluated before the devices come to market, oftentimes those risks are not fully understood until the devices have been released and are being used by a wide range of patients and providers in different settings.

Naturally, when risks are identified in postmarket devices there needs to be a mechanism in place that allows the devices to be updated. The FDA will be exploring various regulatory options to ensure timely mitigations can be implemented, including the ability for all devices to receive updates and security patches to address newly discovered vulnerabilities.

While the FDA can ensure medical device labelling is improved to make providers aware of the safety and effectiveness of the devices, the FDA is considering additional training for providers and further education of users of the devices. The FDA also plans to develop scientific tool kits that can be used by manufacturers to ensure their premarket devices meet safety standards.

To encourage manufacturers to incorporate advanced medical device cybersecurity controls, the FDA is looking into ways it can streamline and speed up the reviewing of devices that meet and exceed safety standards.

The FDA is already promoting “a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience” to ensure devices remain safe throughout their entire life cycle. The FDA is also seeking additional funding and authority to develop a public-private CyberMed Safety Analysis Board to assist with medical device cybersecurity issues, vulnerability coordination, and response mechanisms.

Members of the board would include biomedical engineers, clinicians, and cybersecurity experts who would advise both the FDA and device manufacturers on cybersecurity issues and provide assistance with adjudicating disputes.

The post FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity appeared first on HIPAA Journal.

Version 1.1 of the NIST Cybersecurity Framework Released

On April 16, 2018, The National Institute of Standards and Technology released an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).

The Cybersecurity Framework was first issued in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector organizations to guide their cybersecurity programs. While intended for use by critical infrastructure industries, the flexibility of the framework means it can also be adopted by a wide range of businesses, large and small, including healthcare organizations.

The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. There are several ways that the Framework can be used with ample scope for customization. The Framework helps organizations address different threats and vulnerabilities and matches various levels of risk tolerance.

The Framework was intended to be a living document that can be updated and improved over time in response to feedback from users, changing best practices, new threats, and advances in technology. The new version is the first major update to the framework since 2014 and the result of two years of development.

NIST’s Matt Barrett, program manager for the Cybersecurity Framework, explained that the latest version “refines, clarifies and enhances version 1.0.” While several changes have been made in version 1.1, Barrett explained, “It is still flexible to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

Version 1.1 of the Cybersecurity Framework includes several updates in response to comments and feedback received in 2016 and 2017 from organizations that have already adopted the Framework.

Version 1.1 sees refinements to the guidelines on authentication, authorization and identity proofing and a better explanation of the relationship between implementation tiers and profiles. The Framework for Cyber Supply Chain Risk Management has been significantly expanded and there is a new section on self-assessment of cybersecurity risk. The section on disclosure of vulnerabilities has also been expanded, with a new subcategory added related to the vulnerability disclosure lifecycle.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”

NIST is also planning to release a companion ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later this year and will be hosting a webinar later this month to explain and discuss the version 1.1 updates to the Framework.


Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.

March 2018 Healthcare Data Breaches by Covered Entity Type

Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops /other portable devices) with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could have easily been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

Location of Breached Protected Health Information

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.


HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks.

There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months

Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India.

In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week.

In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server Message Block V1 vulnerability on a public-facing server to install the ransomware – the same vulnerability that was exploited in the global WannaCry and NotPetya attacks in May and June 2017.

Hancock Health was attacked and chose to pay the ransom as it was seen to be preferable to the ongoing disruption that would have been caused by recovering files from backups. Hancock Health was one of two hospitals in Indiana to experience an attack. The Colorado Department of Transportation suffered two separate SamSam ransomware attacks in February and March.

Other healthcare organizations to be attacked include Erie County Medical Center which saw an unpatched vulnerability exploited. In that case, the ransom was not paid, although it took six weeks for the medical center to fully recover at a cost of several million dollars.

While the healthcare industry appears to have been targeted, that is not necessarily the case. The HHS and Cisco Talos suggest several of the attacks have been opportunistic in nature. However, ransomware gangs have been known to target the government, healthcare, and education sectors. The major disruption to services and the cost of mitigating attacks in these industries makes it far more likely that the ransom payment will be made.

Different attack methods have been used by the threat actors behind SamSam ransomware, although the group is known to exploit vulnerabilities on public-facing servers. Compromised RDP/VNC servers (Remote Desktop Protocol/Virtual Network Computing) are a common denominator in several of the attacks.

The threat actors also scan for open RDP connections and conduct brute force attacks which take advantage of weak passwords.

Once access to a server is gained, ransomware is installed and spread laterally. The goal of the attack is to cause massive disruption. Even though backups exist in most cases and data can be recovered, the continued disruption to business operations while files are recovered makes payment of the ransom preferable. Even if the ransom is paid the cost is considerable. The City of Atlanta was reportedly issued a ransom demand of $6,800 per infected endpoint.

Tips to Prevent and Block SamSam Ransomware Attacks

Several vulnerabilities have been exploited to gain access to servers including JBoss, SMBv1, RDP, and others. It is therefore strongly recommended to conduct regular vulnerability scans and ensure good patch management practices are adopted. Strong passwords should be used, and controls implemented to enforce password policies.

HCCIC offers the following advice to prevent and block SamSam ransomware attacks:

  • Conduct an organization-wide risk analysis to identify risks to ePHI and implement security measures to remediate those risks (a requirement of the HIPAA Security Rule)
  • Train end users to help them detect malicious software
  • Implement procedures to protect against malicious software and use software solutions that can rapidly identify an attack in progress, so that rapid action can be taken to prevent the spread of the infection
  • Ensure all data is backed up regularly. A good backup strategy is the 3-2-1 approach: ensure 3 backups are made, on two different media, with one copy stored securely off site
  • Develop contingency plans to minimize business disruption in the event of a cyberattack
  • Develop procedures for responding to security incidents, including procedures specifically for ransomware attacks
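The RDP password guessing described above leaves a trail in the Windows Security log before any file is encrypted, and the HCCIC's advice to use tooling that "can rapidly identify an attack in progress" can be applied to it. The following is an added example, not code from the HHS report or HIPAA Journal: it flags bursts of failed RDP logons per source address and notes whether a successful logon from the same source followed the burst. The event records and their dict layout are constructed and simplified; event IDs 4625/4624 and logon type 10 are the real Windows values.

```python
"""Flag RDP password-guessing bursts in Windows Security events.

Added illustration, not part of the HCCIC report. The event records below are
constructed and the dict layout is a simplification of the Windows Security
log, but the identifiers are real: event 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive, i.e. a Remote Desktop session

# Constructed sample events; source addresses come from the RFC 5737 test ranges.
SAMPLE_EVENTS = [
    # 198.51.100.23 guesses several accounts within three minutes, then gets in as "admin".
    {"time": "2018-03-20T02:14:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:14:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:14:47", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:15:12", "event_id": 4625, "logon_type": 10, "user": "nurse1", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:15:58", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:16:30", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    {"time": "2018-03-20T02:17:05", "event_id": 4624, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},
    # 192.0.2.77: two mistyped passwords from a clinician, below the threshold.
    {"time": "2018-03-20T08:01:10", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "192.0.2.77"},
    {"time": "2018-03-20T08:01:35", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "192.0.2.77"},
    {"time": "2018-03-20T08:02:02", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src": "192.0.2.77"},
    # 203.0.113.9: five failures, but spread over two hours (one every 30 minutes).
    {"time": "2018-03-20T03:00:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2018-03-20T03:30:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2018-03-20T04:00:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2018-03-20T04:30:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2018-03-20T05:00:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    # A console failure (logon type 2) is not RDP and is ignored.
    {"time": "2018-03-20T09:00:00", "event_id": 4625, "logon_type": 2, "user": "svc_backup", "src": "-"},
]


def _ts(event):
    """Parse the event timestamp (ISO 8601 in the constructed records)."""
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per source address that produced `threshold` or more
    failed RDP logons inside any span of length `window`.  Each alert also
    records whether a successful RDP logon from the same source followed the
    burst, which is the stronger signal that the guessing worked."""
    rdp = sorted(
        (e for e in events
         if e["logon_type"] == RDP_LOGON_TYPE
         and e["event_id"] in (FAILED_LOGON, SUCCESSFUL_LOGON)),
        key=_ts,
    )
    failures, successes = defaultdict(list), defaultdict(list)
    for e in rdp:
        bucket = failures if e["event_id"] == FAILED_LOGON else successes
        bucket[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        # Sliding window over the time-ordered failures: keep the densest span.
        best = (0, 0)  # (start_index, end_index) of the largest burst seen
        start = 0
        for end in range(len(fails)):
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        burst = fails[best[0]:best[1] + 1]
        if len(burst) < threshold:
            continue
        burst_end = _ts(burst[-1])
        followed = [s for s in successes.get(src, []) if _ts(s) >= burst_end]
        alerts.append({
            "src": src,
            "failed_logons": len(burst),
            "accounts_tried": sorted({f["user"] for f in burst}),
            "first": burst[0]["time"],
            "last": burst[-1]["time"],
            "followed_by_success": bool(followed),
            "success_account": followed[0]["user"] if followed else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert with followed_by_success set is the one to treat as a probable compromise rather than mere noise, since SamSam's operators install and spread the ransomware only after a logon succeeds.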

As for payment of the ransom, that carries a risk. There are no guarantees that the attackers will make good on their promise to send keys to unlock the data or that the keys supplied will work. It is essential to ensure that recovery is possible without paying the ransom.

The HCCIC report, which includes indicators of compromise, can be downloaded from the American Hospital Association on this link (PDF).


How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, identify sensitive data, and exfiltrate the data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies, had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks. The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take home message from the survey is just how important it is to implement security awareness programs, train staff in cybersecurity best practices, and keep them alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.


GAO Discovers Inconsistencies in CMS Oversight of Medicare Beneficiary Data Security

In response to recent data breaches, the chairmen of the U.S. Senate Committee on Finance, the House Committee on Ways and Means, and the House Committee on Energy and Commerce requested the U.S. Government Accountability Office conduct a study of HHS’ Centers for Medicare and Medicaid Services (CMS) to assess its efforts to protect Medicare beneficiary data accessed by external entities.

The study had three main objectives: to determine the major external entities that collect, store, and share Medicare beneficiary data; to determine whether the requirements for protection of Medicare data align with federal guidance; and to assess CMS oversight of the implementation of those requirements.

The study revealed that the CMS has established security requirements that align with federal guidance for only some external entities, and that oversight of the implementation of security controls by external entities has been inconsistent.

The CMS shares Medicare beneficiary data with three main types of external entities: Medicare Administrative Contractors (MACs), research organizations, and public or private entities that use claims data to assess the performance of Medicare service providers and equipment suppliers.

Each year, MACs process more than 1.2 billion Medicare fee-for-service claims and interact with over 1.5 million healthcare providers. Healthcare providers submit Medicare fee-for-service claims to the MACs, who check and process the claims.

In order to process claims, MACs require access to the CMS virtual data centers (VDCs) and connect directly to them via the CMSNet telecommunications network. The VDCs contain personally identifiable information and protected health information of Medicare beneficiaries.

Researchers are provided with access to beneficiary data to study how healthcare services are provided to beneficiaries. That research benefits the public through the improved delivery of healthcare services. Researchers apply to the CMS and are granted access to the specific dataset necessary for the research.

Researchers are required to enter into a data use agreement with the CMS which details the data that will be accessed, for what purpose, how long, and the requirements to ensure confidentiality and protection of the data. They can either access the data electronically by connecting to the CMS’s Chronic Conditions Warehouse/Virtual Research Data Center (CCW/VRDC) via a secure network connection or receive copies of encrypted data sent via the U.S. mail.

Qualified entities that access claims data to assess the effectiveness of Medicare service providers and equipment suppliers can access the data via a Secure File Transfer System connection to the CCW/VRDC or can receive encrypted data via U.S. mail. They too are required to enter into a data use agreement with the CMS.

The GAO study revealed that requirements for implementing security controls in line with federal guidance have only been developed for MACs and qualified entities, but not for researchers as they are not CMS contractors. The failure to provide risk-based requirements for implementing security controls to researchers could mean security controls meeting CMS standards are not applied.

GAO also discovered that while an oversight program has been developed for the security of MAC data, there is no equivalent program for the data handled by researchers and qualified entities.

The lack of oversight of data security by those two types of external entities means the CMS cannot determine whether Medicare beneficiary data is being adequately protected.

While the CMS has overseen independent assessments of MACs which identify whether security controls have been implemented correctly, there has been inconsistent tracking and monitoring of vulnerabilities identified by those assessments and the actions taken to correct those issues. The CMS therefore cannot be sure that all security gaps have been addressed in a timely fashion.

To ensure the security of Medicare beneficiary data, GAO has made three recommendations:

  • The CMS should develop security guidance for researchers defining the minimum security controls that must be implemented and ensure the guidance is consistent with NIST guidelines.
  • All findings of MAC assessments should be classified and tracked, and processes and procedures should be developed to ensure researchers and qualified entities have implemented information security controls.
  • The CMS should also establish an effective oversight program for all external entities that access Medicare beneficiary data.

The CMS concurred with all three GAO recommendations.


Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclosing their login credentials or installing malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study on 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture. More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year, and an incident response plan is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond to and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

The post Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks appeared first on HIPAA Journal.

Study Reveals Poor Patching Practices in Healthcare

A recent survey conducted by the Ponemon Institute on behalf of ServiceNow has revealed the healthcare and pharmaceutical industries are struggling to keep on top of patching. Vulnerabilities are not being patched promptly leaving organizations open to attack.

The survey was conducted on 3,000 security professionals from organizations with more than 1,000 employees across a broad range of industry sectors and countries. The results of the survey were published in the report: Today’s State of Vulnerability Response: Patch Work Demands Attention.

The report revealed 57% of respondents had experienced at least one data breach in which access to the network was gained by exploiting a vulnerability for which a patch had already been released. A third of those respondents said they were aware that the vulnerability existed and that a patch was available before the breach occurred. More alarmingly, two thirds of organizations did not know they were vulnerable to attack at all.

Even though there is a considerable risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed. The healthcare and pharmaceutical industries were slightly better than average, although 28% of IT security professionals from those industries said vulnerability scanning was not performed.

65% of cybersecurity professionals said they find it difficult to prioritize patching and determine what software should be patched first. 61% said manual processes were putting them at a disadvantage when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.

More than three quarters of IT security professionals felt the delay in patching vulnerabilities was due to a shortage of staff. They simply did not have enough employees to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, but even so, medium to low priority patches are still taking eight weeks or longer to be applied.

60% of respondents said they were recruiting more staff in the next 12 months to help speed up the patching of vulnerabilities. On average, organizations are looking to hire four new employees solely for vulnerability response.

Deciding to hire more staff is one thing. Recruiting staff is another. There is a shortage of skilled IT staff and the problem is getting worse. According to a recent survey conducted by the advocacy group ISACA, by 2019 there will be 2 million unfilled cybersecurity positions.

Even if staff can be recruited, there is no guarantee that security posture can be significantly improved. While additional staff could certainly help some companies, the report suggests there is a patching paradox – hiring more staff does not mean better security.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said ServiceNow Security and Risk Vice President and General Manager Sean Convery. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

The Ponemon Institute/ServiceNow report offers five recommendations that can help organizations develop a roadmap to a better security posture.

  • Take an unbiased inventory of vulnerability response capabilities.
  • Accelerate time-to-benefit by tackling low-hanging fruit first.
  • Break down data barriers between security and IT to regain the time lost coordinating between the two.
  • Define and optimize end-to-end vulnerability response processes and then automate as much as you can.
  • Retain talent by focusing on culture and environment.

The post Study Reveals Poor Patching Practices in Healthcare appeared first on HIPAA Journal.

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe.

Key Elements of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below.

Conduct risk analyses – A comprehensive, organization-wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a one-time checkbox item. Risk analyses must be conducted regularly, and repeated whenever there is a change to business practices or new technology is introduced.

Safeguard PHI at all times – One of the most important aspects of HIPAA compliance for pharmacies is ensuring safeguards are implemented to ensure the confidentiality, integrity, and availability of physical and electronic PHI. Pharmacies can decide on the best safeguards to implement with decisions guided by the findings of the risk analysis.

Appoint a privacy officer – A privacy officer must be appointed. Any member of staff can be your designated privacy officer. That person’s responsibility is to ensure policies and procedures are followed, documentation and filing is performed correctly, and patient requests for PHI are responded to in a timely manner. The privacy officer must also monitor for changes to HIPAA regulations and work with the owner or manager to ensure continued compliance.

Obtain authorizations – HIPAA permits the use of PHI for treatment purposes, requesting or receiving payment, or pharmacy operations. Any other use or disclosure of PHI must be authorized by the patient in writing prior to PHI being used or disclosed.

Obtain business associate agreements – A third party that needs access to PHI or copies of PHI to perform a service on behalf of the pharmacy is classed as a business associate and is also required to comply with HIPAA Rules. A business associate must provide reasonable assurances to the covered entity, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be followed.

Ensure PHI is not impermissibly disclosed – Accidentally or deliberately disclosing PHI for reasons not permitted by the Privacy Rule can cause considerable harm to patients. Policies and procedures must be developed and implemented to reduce the risk of impermissible disclosures. Care must be taken not to disclose more than the ‘minimum necessary’ PHI.

Provide patients with copies of their PHI – The HIPAA Privacy Rule gives patients the right to obtain copies of their PHI on request. While that right is typically exercised with healthcare providers, pharmacies must also provide copies of pharmacy records related to an individual if requested.

Dispose of PHI correctly – PHI such as prescription labels and documents must be disposed of in a manner that prevents the PHI from being viewed or reconstructed. Paperwork such as labels should be shredded, pulverized, pulped, or incinerated. ePHI on electronic devices must be permanently erased before disposal.

Provide training to staff – All pharmacy staff are required to comply with HIPAA Rules, as are any volunteers and interns whose roles bring them into contact with PHI. All staff must be trained on the HIPAA Rules that apply to them and made aware of what constitutes PHI. Training should be provided as soon as possible after hiring, with refresher training provided regularly. Pharmacies must also provide security awareness training to staff.

Inform patients of privacy practices – All HIPAA covered entities must document their privacy practices in a notice of privacy practices and share that notice with patients. Pharmacies must make a good-faith effort to obtain a written acknowledgment from each patient confirming receipt of the notice, and must document the reason if an acknowledgment cannot be obtained.

Notify patients/OCR of a privacy breach – Patients must be informed when their PHI has been exposed or stolen, and OCR must also be notified. Notifications must be sent to affected patients within 60 days of the discovery of a breach. For breaches impacting 500 or more individuals, OCR must be notified within the same 60-day window; breaches impacting fewer than 500 individuals can be reported to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.

Since HIPAA compliance for pharmacies can be complex and the penalties for noncompliance severe, we suggest contacting a compliance specialist who will be able to walk you through the steps you need to take to comply with all aspects of HIPAA Rules. Alternatively, if you are unsure about any aspect of HIPAA compliance for pharmacies, contact a healthcare attorney.

Penalties for HIPAA Violations by Pharmacies

It doesn’t matter how large or small your business is, HIPAA compliance for pharmacies is not optional. There have been several penalties for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations attract a significant fine, they can also seriously damage the reputation of your pharmacy.

The HHS’ Office for Civil Rights has increased enforcement activity in the past two years, and fines and settlements over HIPAA violations are now far more common. State attorneys general are also taking action over privacy breaches and are pursuing financial settlements when PHI is exposed or impermissibly disclosed. Under HITECH, state attorneys general can seek civil penalties of up to $25,000 per year for violations of the same HIPAA requirement. The HHS’ Office for Civil Rights can issue fines of up to $1.5 million per violation category, per year.

  • In 2009, CVS Pharmacy settled potential HIPAA violations with OCR for $2.25 million after it was discovered prescription bottles and receipts had been disposed of improperly.
  • In 2010, Rite Aid Corp settled with OCR for $1 million to resolve violations of HIPAA relating to the improper disposal of PHI.
  • In 2014, a jury in Indiana awarded $1.4 million in damages against Walgreens for the impermissible disclosure of a patient’s PHI. A pharmacist had accessed the patient’s records and shared her PHI with her husband and at least three other people.
  • In 2015, Cornell Prescription Pharmacy, a small pharmacy in Denver, settled with OCR for $125,000 after improperly disposing of documents containing PHI.

The post HIPAA Compliance for Pharmacies appeared first on HIPAA Journal.